From c6e84e7f67392174f56440ed76cbcbcfdebc98bb Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 2 Oct 2023 13:11:39 -0400 Subject: [PATCH] Update Changelog and VERSION for release 2.20231002. Signed-off-by: Chris PeBenito --- Changelog | 339 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ VERSION | 2 +- 2 files changed, 340 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 76cd60fdc6..f4eaeb53be 100644 --- a/Changelog +++ b/Changelog 
@@ -1,3 +1,342 @@ +* Mon Oct 02 2023 Chris PeBenito - 2.20231002 +Chris PeBenito (122): + tests.yml: Pin ubuntu 20.04. + tests.yml: Pin ubuntu 20.04. + fstools: Move lines. + munin: Move munin_rw_tcp_sockets() implementation. + munin: Whitespace change. + systemd: Tmpfilesd can correct seusers on files. + iscsi: Read initiatorname.iscsi. + lvm: Add fc entry for /etc/multipath/* + sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets() + Define user_namespace object class. + chromium: Allow user namespace creation. + mozilla: Allow user namespace creation. + systemd: Allow user namespace creation. + container: Allow user namespace creation for all container engines. + Update eg25manager.te + switcheroo: Whitespace fix. + unconfined: Keys are linkable by systemd. + postgresql: Move lines + Add append to rw and manage lnk_file permission sets for consistency. + +Christian Schneider (1): + systemd-generator: systemd_generator_t load kernel modules used for e.g. + zram-generator + +Corentin LABBE (20): + udev: permit to read hwdb + fstools: handle gentoo place for drivedb.h + mount: dbus interface must be optional + mcelog: add missing file context for triggers + munin: add file context for common functions file + rsyslog: add label for /var/empty/dev/log + munin: disk-plugin: transition to fsadm + munin: add fc for munin-node plugin state + usermanage: permit groupadd to read kernel sysctl + portage: Remove old binary location + portage: add go/hg source control files + portage: add new location for portage commands + portage: add missing go/hg context in new distfiles location + mandb: permit to read inherited cron files + selinuxutil: do not audit load_policy trying to use portage ptys + selinuxutil: permit run_init to read kernel sysctl + portage: add misc mising rules + smartmon: allow smartd to read fsadm_db_t files + smartmon: add domain for update-smart-drivedb + dovecot: add missing permissions + +Dave Sugar (21): + rng-tools updated to 6.15 (on 
RHEL9) seeing the following denials: + Allow local login to read /run/motd + Label pwhistory_helper + If domain can read system_dbusd_var_lib_t files, also allow symlinks + systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option. + To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf + Allow iceauth write to xsession log + Allow system_dbusd_t to start/stop all units + Updates for utempter + Allow display manager to read hwdata + Allow search xdm_var_run_t directories along with reading files. + Solve issue with no keyboard/mouse on X login screen + separate label for /etc/security/opasswd + Fix some ssh agent denials + For systemd-hostnamed service to run + Allow rsyslog to drop capabilities + /var/lib/sddm should be xdm_var_lib_t + resolve lvm_t issues at shutdown with LUKS encrypted devices + Allow all users to (optionally) send syslog messages + Resolve some denials with colord + separate domain for journalctl during init + +David Sommerseth (1): + openvpn: Allow netlink genl + +Florian Schmidt (1): + Add label and interfaces for kernel PSI files + +George Zenner (1): + 
Signed-off-by: George Zenner + +Grzegorz Filo (3): + Shell functions used during boot by initrc_t shall be bin_t and defined in + corecommands.fc + Dir transition goes with dir create perms. + Keep context of blkid file/dir when created by zpool. + +Guido Trentalancia (47): + The pulseaudio daemon and client do not normally need to use the network + for most computer systems that need to play and record audio. + The kernel domain should be able to mounton runtime directories during + switch_root, otherwise parts of the boot process might fail on some + systems (for example, the udev daemon). + The kernel domain should be able to mounton default directories during + switch_root. + The pulseaudio module should be able to read alsa library directories. + Fix the pulseaudio module file transition for named sockets in tmp + directories. + Fix the dbus module so that automatic file type transitions are used not + only for files and directories, but also for named sockets. + Fix the dbus module so that temporary session named sockets can be read + and written in the role template and by system and session bus clients. + Update the dbus role template so that permissions to get the attributes of + the proc filesystem are included. + Let pulseaudio search debugfs directories, as currently done with other + modules. + Separate the tunable permissions to write xserver tmpfs files from the + tunable permissions to write X server shared memory. + Fix a security bug in the xserver module (interfaces) which was wrongly + allowing an interface to bypass existing tunable policy logic related + to X shared memory and xserver tmpfs files write permissions. + Add missing permissions to execute binary files for the evolution_alarm_t + domain. + Add the permissions to manage the fonts cache (fontconfig) to the window + manager role template. + Add permissions to watch libraries directories to the userdomain login + user template interface. 
+ Update the xscreensaver module in order to work with the latest version + (tested with version 6.06). + Include the X server tmpfs rw permissions in the X shared memory write + access tunable policy under request from Christoper PeBenito. + Revert the following commit (ability to read /usr files), as it is no + longer needed, after the database file got its own label: + Update the kernel module to remove misplaced or at least really obsolete + permissions during kernel module loading. + Introduce a new "logging_syslog_can_network" boolean and make the + net_admin capability as well as all corenetwork permissions previously + granted to the syslog daemon conditional upon such boolean being true. + Let the openoffice domain manage fonts cache (fontconfig). + Update the openoffice module so that it can create Unix stream sockets + with its own label and use them both as a client and a server. + Let mplayer to act as a dbus session bus client (needed by the vlc media + player). + Add permissions to read device sysctls to mplayer. + Remove misplaced permission from mount interface mount_exec. + Remove a vulnerability introduced by a logging interface which allows to + execute log files. + Improved wording for the new xserver tunable policy booleans introduced + with the previous three commits. + Fix another security bug companion of the one fixed in the following + previous commit: + Fix another security bug similar to the ones that have been recently fixed + in the following two commits: + Remove duplicate permissions in the xserver module + xserver_restricted_role() interface. + Dbus creates Unix domain sockets (in addition to listening on and + connecting to them), so its policy module is modified accordingly. + Remove a logging interface from the userdomain module since it has now + been moved to the xscreensaver domain. 
+ Create a new specific file label for the random seed file saved before + shutting down or rebooting the system and rework the interface needed + to manage such file. + Fix the shutdown policy in order to make use of the newly created file + label and interface needed to manage the random seed file. + Update the gpg module so that the application is able to fetch new keys + from the network. + Dbus creates Unix domain sockets not only for the system bus, but also for + the session bus (in addition to connecting to them), so its policy + module is modified accordingly. + Update the gnome module so that the gconf daemon is able to create Unix + domain sockets and accept or listen connections on them. + Fix the recently introduced "logging_syslog_can_network" tunable policy, + by including TCP/IP socket creation permissions. + Introduce a new interface in the mta module to manage the mail transport + agent configuration directories and files. + Add new gpg interfaces for gpg_agent execution and to avoid auditing + search operations on files and directories that are not strictly needed + and might pose a security risk. + Extend the scope of the "spamassassin_can_network" tunable policy boolean + to all network access (except the relative dontaudit rules). + Update the spamassassin module in order to better support the rules + updating script; this achieved by employing two distinct domains for + increased security and network isolation: a first domain is used for + fetching the updated rules from the network and second domain is used + for verifying the GPG signatures of the received rules. + Under request from Christopher PeBenito, merge the two spamassassin rules + updating SELinux domains introduced in the previous change in order to + reduce the non-swappable kernel memory used by the policy. 
+ Introduce a new "dbus_can_network" boolean which controls whether or not + the dbus daemon can act as a server over TCP/IP networks and defaults + to false, as this is generally insecure, except when using the local + loopback interface. + Introduce two new booleans for the X server and X display manager domains + which control whether or not the respective domains allow the TCP/IP + server networking functionality. + The X display manager uses an authentication mechanism based on an + authorization file which is critical for X security. + Merge branch 'main' into x_fixes_pr2 + Let openoffice perform temporary file transitions and manage link files. + +Kenton Groombridge (68): + corenet: add portcon for kubernetes + kubernetes: initial policy module + sysadm: allow running kubernetes + crio: new policy module + crio, kubernetes: allow k8s admins to run CRI-O + container: add type for container plugins + various: fixes for kubernetes + kubernetes: add policy for kubectl + various: fixes for kubernetes + container, kernel: add tunable to allow spc to create NFS servers + container: add tunable to allow containers to use huge pages + container, kubernetes: add private type for generic container devices + container: add tunable to use dri devices + container, kubernetes: add rules for device plugins running as spc + various: allow using glusterfs as backing storage for k8s + container, miscfiles: transition to s0 for public content created by + containers + container: add tunable to allow spc to use tun-tap devices + container: correct admin_pattern() usage + systemd: add policy for systemd-pcrphase + hddtemp: add missing rules for interactive usage + netutils: minor fixes for nmap and traceroute + container: add rules required for metallb BGP speakers + filesystem, init: allow systemd to setattr on ramfs dirs + logging: allow domains sending syslog messages to connect to kernel unix + stream sockets + init, sysadm: allow sysadm to manage systemd runtime units + 
podman: allow podman to stop systemd transient units + userdom: allow admin users to use tcpdiag netlink sockets + container: allow container admins the sysadm capability in user namespaces + postfix: allow postfix master to map data files + sasl: add filecon for /etc/sasl2 keytab + obj_perm_sets: add mmap_manage_file_perms + various: use mmap_manage_file_perms + postfix, sasl: allow postfix smtp daemon to read SASL keytab + various: fixes for libvirtd and systemd-machined + portage: label eix cache as portage_cache_t + container: add missing filetrans and filecon for containerd/docker + container, init, systemd: add policy for quadlet + container: fixes for podman 4.4.0 + container: fixes for podman run --log-driver=passthrough + node_exporter: various fixes + redis: add missing rules for runtime filetrans + podman, selinux: move lines, add missing rules for --network=host + netutils: fixes for iftop + kernel, zfs: add filetrans for kernel creating zpool cache file + zfs: allow sending signals to itself + zfs: add runtime filetrans for dirs + init: make init_runtime_t useable for systemd units + various: make /etc/machine-id etc_runtime_t + init, systemd: allow init to create userdb runtime symlinks + init: allow initrc_t to getcap + systemd: allow systemd-userdbd to getcap + logging: allow systemd-journald to list cgroups + fs, udev: allow systemd-udevd various cgroup perms + logging, systemd: allow relabelfrom,relabelto on systemd journal files by + systemd-journald + files, systemd: allow systemd-tmpfiles to relabel config file symlinks + systemd: add rules for systemd-zram-generator + systemd: allow systemd-pcrphase to read generic certs + fs, init: allow systemd-init to set the attributes of efivarfs files + init: allow systemd-init to set the attributes of unallocated terminals + systemd: allow systemd-resolved to bind to UDP port 5353 + init: allow initrc_t to create netlink_kobject_uevent_sockets + raid: allow mdadm to read udev runtime files + raid: allow 
mdadm to create generic links in /dev/md + fstools: allow fsadm to read utab + glusterfs: allow glusterd to bind to all TCP unreserved ports + kubernetes: allow kubelet to read etc runtime files + chromium: allow chromium-naclhelper to create user namespaces + container: rework capabilities + +Luca Boccassi (4): + Set label systemd-oomd + Add separate label for cgroup's memory.pressure files + systemd: also allow to mounton memory.pressure + systemd: allow daemons to access memory.pressure + +Mathieu Tortuyaux (1): + container: fix cilium denial + +Oleksii Miroshko (1): + Fix templates parsing in gentemplates.sh + +Pat Riehecky (1): + container: set default context for local-path-provisioner + +Renato Caldas (1): + kubernetes: allow kubelet to read /proc/sys/vm files. + +Russell Coker (23): + This patch removes deprecated interfaces that were deprecated in the + 20210203 release. I think that 2 years of support for a deprecated + interface is enough and by the time we have the next release out it + will probably be more than 2 years since 20210203. + This patch removes deprecated interfaces that were deprecated in the + 20210203 release. I think that 2 years of support for a deprecated + interface is enough and by the time we have the next release out it + will probably be more than 2 years since 20210203. + eg25-manager (Debian package eg25-manager) is a daemon aimed at + configuring and monitoring the Quectel EG25 modem on a running system. + It is used on the PinePhone (Pro) and performs the following functions: + * power on/off * startup configuration using AT commands * AGPS + data upload * status monitoring (and restart if it becomes + unavailable) Homepage: https://gitlab.com/mobian1/eg25-manager + iio-sensor-proxy (Debian package iio-sensor-proxy) IIO sensors to D-Bus + proxy Industrial I/O subsystem is intended to provide support for + devices that in some sense are analog to digital or digital to analog + convertors . 
Devices that fall into this category are: * ADCs * + Accelerometers * Gyros * IMUs * Capacitance to Digital Converters + (CDCs) * Pressure Sensors * Color, Light and Proximity Sensors * + Temperature Sensors * Magnetometers * DACs * DDS (Direct Digital + Synthesis) * PLLs (Phase Locked Loops) * Variable/Programmable Gain + Amplifiers (VGA, PGA) + Fixed dependency on unconfined_t + Comment sysfs better + Daemon to control authentication for Thunderbolt. + Daemon to monitor memory pressure and notify applications and change … + (#670) + switcheroo is a daemon to manage discrete vs integrated GPU use for apps + policy for power profiles daemon, used to change power settings + some misc userdomain fixes + debian motd.d directory (#689) + policy for the Reliability Availability servicability daemon (#690) + policy patches for anti-spam daemons (#698) + Added tmpfs file type for postgresql Small mysql stuff including + anon_inode + small ntp and dns changes (#703) + small network patches (#707) + small storage changes (#706) + allow jabbers to create sock file and allow matrixd to read sysfs (#705) + small systemd patches (#708) + misc small patches for cron policy (#701) + mon.te patches as well as some fstools patches related to it (#697) + misc small email changes (#704) + +Yi Zhao (8): + systemd: add capability sys_resource to systemd_userdbd_t + systemd: allow systemd-sysctl to search directories on ramfs + systemd: allow systemd-resolved to search directories on tmpfs and ramfs + mount: allow mount_t to get attributes for all directories + loadkeys: do not audit attempts to get attributes for all directories + systemd: allow systemd-networkd to create file in /run/systemd directory + systemd: allow journalctl to create /var/lib/systemd/catalog + bind: fix for named service + +freedom1b2830 (1): + mplayer:vlc paths + * Tue Nov 01 2022 Chris PeBenito - 2.20221101 Chris PeBenito (46): systemd: Drop systemd_detect_virt_t. 
diff --git a/VERSION b/VERSION index f14c5b1750..d777ff610f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20221101 +2.20231002
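Review bot: the Changelog hunk carries a few artifacts of the generated shortlog that are worth cleaning before tagging the release. `tests.yml: Pin ubuntu 20.04.` is listed twice under Chris PeBenito, Russell Coker's `This patch removes deprecated interfaces that were deprecated in the 20210203 release.` paragraph appears twice, and George Zenner's only entry is the bare trailer `Signed-off-by: George Zenner` rather than a subject. Several multi-line subjects also end in a dangling reference whose hash was truncated with the subject line (`Revert the following commit (ability to read /usr files), as it is no longer needed, after the database file got its own label:` and `Fix another security bug companion of the one fixed in the following previous commit:`), so a reader of the Changelog cannot tell which commit is meant; either append the referenced hash or drop the trailing colon. Minor spelling in the entries: "mising", "Christoper", "servicability". Since this release removes interfaces deprecated in 20210203, a one-line compatibility note at the top of the 2.20231002 entry would help downstream policy maintainers, and it would be useful to group the security-relevant changes (the xserver interface that bypassed the X shared memory tunables, the logging interface that granted execute on log files, and the new `dbus_can_network`, `logging_syslog_can_network` and X server networking booleans that default to the restrictive setting) so they are not buried in the per-author lists.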
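Review bot: the VERSION hunk is consistent with the rest of the patch: `-2.20221101` / `+2.20231002` matches the version and date in the new Changelog header `* Mon Oct 02 2023 Chris PeBenito - 2.20231002` and the commit subject, so nothing needs changing here beyond the Changelog cleanup noted above.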